Security Issue: Unrestricted Login Attempts Enable Credential Stuffing
Description
The /auth/login (or equivalent) endpoint does not implement rate limiting or account lockout. An attacker can make thousands of login attempts per minute to brute-force passwords or perform credential stuffing attacks without any throttling.
Steps to Reproduce
- Send 100 POST requests to the login endpoint within 10 seconds using a script or tool like Hydra
- Observe: all requests are processed without any 429 Too Many Requests response
- No account lockout occurs even after 1000 failed attempts
Root Cause
No rate limiting middleware (e.g. express-rate-limit for Node.js) is applied to the authentication endpoints.
Impact
- Credential stuffing: test leaked credential pairs against RIVETO accounts
- Brute-force attacks on weak passwords
- Violates OWASP A07:2021 Identification and Authentication Failures
Proposed Fix
Add express-rate-limit to the login route:
```js
const express = require('express');
const rateLimit = require('express-rate-limit');

const router = express.Router();

// Limit each client IP to 10 login attempts per 15-minute window.
const loginLimiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 10, // 10 attempts per window
  message: { error: 'Too many login attempts. Please try again later.' },
  standardHeaders: true, // send the RateLimit-* response headers
  legacyHeaders: false, // omit the older X-RateLimit-* headers
});

// loginController is the existing handler for the login route.
router.post('/login', loginLimiter, loginController);
```
Also implement exponential backoff for repeated failures from the same IP.
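As an added illustration of the exponential backoff suggested above (example code written for this issue, not part of the project), the following per-IP tracker can sit next to the express-rate-limit window: after a few free failures, each further failure doubles the wait before the next attempt is accepted, and a successful login clears the counter. It assumes an Express app and uses an in-memory store, so it is per-process (a shared store would be needed behind a load balancer); `loginController`, `req.ip` and the thresholds are assumptions.

```javascript
// Added example: per-IP exponential backoff for failed logins (not project code).
// Assumes Express; store is in-memory and therefore per-process.
const BASE_DELAY_MS = 1000;           // first wait once backoff starts: 1 s
const MAX_DELAY_MS = 15 * 60 * 1000;  // never wait longer than 15 minutes
const FREE_ATTEMPTS = 3;              // failures tolerated before backoff starts

const failures = new Map(); // ip -> { count, blockedUntil }

// Wait imposed after `count` consecutive failures:
// 0 while count < FREE_ATTEMPTS, then 1 s, 2 s, 4 s, ... capped at MAX_DELAY_MS.
function backoffDelay(count) {
  if (count < FREE_ATTEMPTS) return 0;
  const exponent = count - FREE_ATTEMPTS;
  return Math.min(BASE_DELAY_MS * 2 ** exponent, MAX_DELAY_MS);
}

// Call from the login handler when the password check fails.
function recordFailure(ip, now = Date.now()) {
  const entry = failures.get(ip) || { count: 0, blockedUntil: 0 };
  entry.count += 1;
  entry.blockedUntil = now + backoffDelay(entry.count);
  failures.set(ip, entry);
  return entry;
}

// Call from the login handler on a successful login.
function recordSuccess(ip) {
  failures.delete(ip);
}

// Seconds the client must still wait, or 0 if the attempt may proceed.
function retryAfterSeconds(ip, now = Date.now()) {
  const entry = failures.get(ip);
  if (!entry || entry.blockedUntil <= now) return 0;
  return Math.ceil((entry.blockedUntil - now) / 1000);
}

// Express middleware: reject with 429 while the IP is inside its backoff window.
// Usage (assumed route): router.post('/login', loginLimiter, loginBackoff, loginController);
function loginBackoff(req, res, next) {
  const wait = retryAfterSeconds(req.ip);
  if (wait > 0) {
    res.set('Retry-After', String(wait));
    return res.status(429).json({ error: `Too many failed logins. Retry in ${wait}s.` });
  }
  next();
}
```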
I would like to implement this fix if assigned.